Merge pull request #431 from danielinux/update-wolfssl-v5.7.0

Updated submodules: wolfSSL-v5.7.0 + wolfTPM latest

.github/workflows/footprint.yml

@@ -17,10 +17,8 @@ jobs:
 
       # Get the arm-non-eabi-gcc toolchain
       - name: Install arm-none-eabi-gcc
-        uses: fiam/arm-none-eabi-gcc@v1
-        with:
-          # The arm-none-eabi-gcc release to use.
-          release: "9-2019-q4"
+        run : |
+          sudo apt-get install -y gcc-arm-none-eabi
 
       - name: make clean
         run: |

.github/workflows/test-build-lms.yml

@@ -0,0 +1,62 @@
+name: Wolfboot Reusable Build Workflow
+
+on:
+
+  workflow_call:
+    inputs:
+      arch:
+        required: true
+        type: string
+      config-file:
+        required: true
+        type: string
+      make-args:
+        required: false
+        type: string
+
+jobs:
+
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: true
+
+      - name: Workaround for sources.list
+        run: sudo sed -i 's|http://azure.archive.ubuntu.com/ubuntu/|http://mirror.arizona.edu/ubuntu/|g' /etc/apt/sources.list
+
+      - name: Update repository
+        run: sudo apt-get update
+
+      - name: Install cross compilers
+        run: |
+          sudo apt-get install -y gcc-arm-none-eabi gcc-aarch64-linux-gnu gcc-powerpc-linux-gnu gnu-efi
+
+      - name: Create lib hash-sigs
+        run: |
+          mkdir -p lib/hash-sigs/lib
+
+      - name: Clone hash-sigs repository
+        run: |
+          git clone https://github.com/cisco/hash-sigs.git lib/hash-sigs/src && \
+          cd lib/hash-sigs/src && git checkout b0631b8891295bf2929e68761205337b7c031726 && \
+          git apply ../../../tools/lms/0001-Patch-to-support-wolfBoot-LMS-build.patch && \
+          cd ../../.. 
+
+      - name: make clean
+        run: |
+          make distclean
+
+      - name: Select config
+        run: |
+          cp ${{inputs.config-file}} .config
+
+      - name: Build tools
+        run: |
+          make -C tools/keytools && make -C tools/bin-assemble
+
+      - name: Build wolfboot
+        run: |
+          make ${{inputs.make-args}}

.github/workflows/test-build-sim-tpm.yml

@@ -26,7 +26,7 @@ on:
 jobs:
 
   build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
 
     steps:
       # setup ibmswtpm2

.github/workflows/test-configs.yml

@@ -169,6 +169,18 @@ jobs:
       arch: arm
       config-file: ./config/examples/stm32c0.config
 
+  stm32c0-rsa248:
+    uses: ./.github/workflows/test-build.yml
+    with:
+      arch: arm
+      config-file: ./config/examples/stm32c0-rsa2048.config
+
+  stm32c0-lms-8-10-1:
+    uses: ./.github/workflows/test-build-lms.yml
+    with:
+      arch: arm
+      config-file: ./config/examples/stm32c0-lms-8-10-1.config
+
   stm32f4_small_blocks_uart_update_test:
     uses: ./.github/workflows/test-build.yml
     with:

.github/workflows/test-custom-tlv-simulator.yml

@@ -8,7 +8,7 @@ on:
 
 jobs:
   custom_tlv_simulator_tests:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v3

.github/workflows/test-powerfail-simulator.yml

@@ -8,7 +8,7 @@ on:
 
 jobs:
   powerfail_simulator_tests:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v3

config/examples/stm32c0-lms-8-10-1.config

@@ -0,0 +1,51 @@
+ARCH?=ARM
+TARGET?=stm32c0
+SIGN?=LMS
+LMS_LEVELS=1
+LMS_HEIGHT=10
+LMS_WINTERNITZ=8
+IMAGE_SIGNATURE_SIZE=1456
+IMAGE_HEADER_SIZE=2048
+HASH?=SHA256
+DEBUG?=0
+VTOR?=1
+CORTEX_M0?=1
+NO_ASM?=0
+NO_MPU?=1
+EXT_FLASH?=0
+SPI_FLASH?=0
+ALLOW_DOWNGRADE?=0
+NVM_FLASH_WRITEONCE?=1
+WOLFBOOT_VERSION?=0
+V?=0
+SPMATH?=1
+DUALBANK_SWAP?=0
+
+# Enable this to support wolfBoot self-update
+RAM_CODE?=0
+
+# Use slightly smaller SHA2-256
+CFLAGS_EXTRA+=-DUSE_SLOW_SHA256
+
+# Enable this feature for secure memory support
+# Makes the flash sectors for the bootloader unaccessible from the application
+# Requires using the STM32CubeProgrammer to set FLASH_SECR -> SEC_SIZE pages
+#CFLAGS_EXTRA+=-DFLASH_SECURABLE_MEMORY_SUPPORT
+
+
+#Partition: Boot: 10KB, App, 10KB
+WOLFBOOT_PARTITION_SIZE?=0x2800
+WOLFBOOT_SECTOR_SIZE?=0x800
+#Max WOLFBOOT size is 10KB
+WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x08002800
+WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x085000
+WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x08007800
+
+#Example debugging partition for larger wolfBoot
+#Partition: Boot: 22KB, App, 4K
+#DEBUG?=1
+#WOLFBOOT_PARTITION_SIZE?=0x1000
+#WOLFBOOT_SECTOR_SIZE?=0x800
+#WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x08005800
+#WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x08006800
+#WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x08007800

config/examples/stm32c0-rsa2048.config

@@ -0,0 +1,46 @@
+ARCH?=ARM
+TARGET?=stm32c0
+SIGN?=RSA2048
+HASH?=SHA256
+DEBUG?=0
+VTOR?=1
+CORTEX_M0?=1
+NO_ASM?=0
+NO_MPU?=1
+EXT_FLASH?=0
+SPI_FLASH?=0
+ALLOW_DOWNGRADE?=0
+NVM_FLASH_WRITEONCE?=1
+WOLFBOOT_VERSION?=0
+V?=0
+SPMATH?=1
+DUALBANK_SWAP?=0
+
+# Enable this to support wolfBoot self-update
+RAM_CODE?=0
+
+# Use slightly smaller SHA2-256
+CFLAGS_EXTRA+=-DUSE_SLOW_SHA256
+
+# Enable this feature for secure memory support
+# Makes the flash sectors for the bootloader unaccessible from the application
+# Requires using the STM32CubeProgrammer to set FLASH_SECR -> SEC_SIZE pages
+#CFLAGS_EXTRA+=-DFLASH_SECURABLE_MEMORY_SUPPORT
+
+
+#Partition: Boot: 12KB, App, 8KB
+WOLFBOOT_PARTITION_SIZE?=0x2000
+WOLFBOOT_SECTOR_SIZE?=0x800
+#Max WOLFBOOT size is 10KB
+WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x08003000
+WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x08005000
+WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x08007800
+
+#Example debugging partition for larger wolfBoot
+#Partition: Boot: 22KB, App, 4K
+#DEBUG?=1
+#WOLFBOOT_PARTITION_SIZE?=0x1000
+#WOLFBOOT_SECTOR_SIZE?=0x800
+#WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x08005800
+#WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x08006800
+#WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x08007800

config/examples/stm32c0.config

@@ -1,8 +1,7 @@
 ARCH?=ARM
 TARGET?=stm32c0
-#Supports ED25519/SHA384 or RSA2048/SHA256
-SIGN?=RSA2048
-HASH?=SHA256
+SIGN?=ED25519
+HASH?=SHA384
 DEBUG?=0
 VTOR?=1
 CORTEX_M0?=1

docs/Targets.md

@@ -444,10 +444,13 @@ mon reset init
 Supports STM32C0x0/STM32C0x1. Instructions are for the STM Nucleo-C031C6 dev board.
 
 Tested build configurations:
-* With RSA2048 and SHA2-256 the code size is 9724 and it boots in under 1 second.
+* With RSA2048 and SHA2-256 the code size is 10988 and it boots in under 1 second.
 * With ED25519 and SHA2-384 the code size is 10024 and takes about 10 seconds for the LED to turn on.
+* With LMS-8-10-1 and SHA2-256 the code size is 8164 on gcc-13 (could fit in 8KB partition)
 
-Example 32KB partitioning on STM32-G070:
+### Example 32KB partitioning on STM32-G070
+
+with ED25519 or LMS-8-10-1:
 
 - Sector size: 2KB
 - Wolfboot partition size: 10KB
@@ -462,11 +465,28 @@ Example 32KB partitioning on STM32-G070:
 #define WOLFBOOT_PARTITION_SWAP_ADDRESS      0x08007800 /* at 30KB */
 ```
 
+with RSA2048:
+
+- Sector size: 2KB
+- Wolfboot partition size: 12KB
+- Application partition size: 8 KB
+- Swap size 2KB
+
+```C
+#define WOLFBOOT_SECTOR_SIZE                 0x800      /* 2 KB */
+#define WOLFBOOT_PARTITION_BOOT_ADDRESS      0x08003000 /* at 12KB */
+#define WOLFBOOT_PARTITION_SIZE              0x2000     /* 8 KB */
+#define WOLFBOOT_PARTITION_UPDATE_ADDRESS    0x08005000 /* at 20KB */
+#define WOLFBOOT_PARTITION_SWAP_ADDRESS      0x08007800 /* at 30KB */
+```
+
 ### Building STM32C0
 
-Reference configuration (see [/config/examples/stm32c0.config](/config/examples/stm32c0.config)).
+Reference configuration files (see [config/examples/stm32c0.config](/config/examples/stm32c0.config),
+[config/examples/stm32c0-rsa2048.config](/config/examples/stm32c0-rsa2048.config) and
+[config/examples/stm32c0-lms-8-10-1.config](/config/examples/stm32c0-lms-8-10-1.config)).
 
-You can copy this to wolfBoot root as `.config`: `cp ./config/examples/stm32c0.config .config`.
+You can copy one of these to wolfBoot root as `.config`: `cp ./config/examples/stm32c0.config .config`.
 To build you can use `make`.
 
 The TARGET for this is `stm32c0`: `make TARGET=stm32c0`.

lib/wolfTPM

@@ -1 +1 @@
-Subproject commit bc1415d0da8e882723cb1a4b2aca0764afa6aac0
+Subproject commit 6a5316f17f861d43d4cfb4a9bd61f1729904ab4d

lib/wolfssl

@@ -1 +1 @@
-Subproject commit 66596ad9e1d7efa8479656872cf09c9c1870a02e
+Subproject commit 8970ff4c34034dbb3594943d11f8c9d4c5512bd5

options.mk

@@ -625,7 +625,7 @@ ifeq ($(WOLFTPM),1)
       SIM_TPM=1
     endif
     ifeq ($(SIM_TPM),1)
-      CFLAGS+=-DWOLFTPM_SWTPM -DTPM_TIMEOUT_TRIES=0
+      CFLAGS+=-DWOLFTPM_SWTPM -DTPM_TIMEOUT_TRIES=0 -DHAVE_NETDB_H
       OBJS+=./lib/wolfTPM/src/tpm2_swtpm.o
     else
       # Use memory-mapped WOLFTPM on x86-64

src/xmalloc.c

@@ -279,6 +279,10 @@ static struct xmalloc_slot xmalloc_pool[] = {
       defined(WOLFBOOT_SIGN_RSA3072)
 
 static uint32_t sha_block[HASH_BLOCK_SIZE];
+
+#define ASNCHECK_BUF_SIZE (224)
+static uint8_t asncheck_buf[ASNCHECK_BUF_SIZE];
+
 #ifndef USE_FAST_MATH
     #ifdef WOLFBOOT_SIGN_RSA2048
         #define MP_SCHEME "SP RSA2048"
@@ -315,6 +319,7 @@ static uint32_t sha_block[HASH_BLOCK_SIZE];
     #if defined(WOLFBOOT_HASH_SHA256) || defined(WOLFBOOT_HASH_SHA384)
         { (uint8_t *)sha_block, HASH_BLOCK_SIZE * sizeof(uint32_t), 0 },
     #endif
+        { asncheck_buf, ASNCHECK_BUF_SIZE, 0 },
         { mp_digit_buf0, MPDIGIT_BUF0_SIZE, 0},
     #ifndef WOLFSSL_SP_ARM_CORTEX_M_ASM
         { mp_digit_buf1, MPDIGIT_BUF1_SIZE, 0},
@@ -335,6 +340,7 @@ static uint32_t sha_block[HASH_BLOCK_SIZE];
     #if defined(WOLFBOOT_HASH_SHA256) || defined(WOLFBOOT_HASH_SHA384)
         { (uint8_t *)sha_block, HASH_BLOCK_SIZE * sizeof(uint32_t), 0 },
     #endif
+        { asncheck_buf, ASNCHECK_BUF_SIZE, 0 },
         { mp_int_buffer0, MP_INT_TYPE_SIZE, 0},
         { mp_int_buffer1, MP_INT_TYPE_SIZE * 3, 0},
         { mp_int_buffer2, MP_INT_TYPE_SIZE, 0},

tools/test.mk

@@ -972,25 +972,25 @@ test-size-all:
 	make keysclean
 	make test-size SIGN=ED25519 LIMIT=11380
 	make keysclean
-	make test-size SIGN=ECC256  LIMIT=17696
+	make test-size SIGN=ECC256  LIMIT=17824
 	make keysclean
-	make test-size SIGN=ECC256 NO_ASM=1 LIMIT=13572
+	make test-size SIGN=ECC256 NO_ASM=1 LIMIT=13588
 	make keysclean
-	make test-size SIGN=RSA2048 LIMIT=10584
+	make test-size SIGN=RSA2048 LIMIT=11104
 	make keysclean
-	make test-size SIGN=RSA2048 NO_ASM=1 LIMIT=10460
+	make test-size SIGN=RSA2048 NO_ASM=1 LIMIT=11804
 	make keysclean
 	make test-size SIGN=RSA4096 LIMIT=11884
 	make keysclean
-	make test-size SIGN=RSA4096 NO_ASM=1 LIMIT=10780
+	make test-size SIGN=RSA4096 NO_ASM=1 LIMIT=11980
 	make keysclean
-	make test-size SIGN=ECC384 LIMIT=17370
+	make test-size SIGN=ECC384 LIMIT=17388
 	make keysclean
 	make test-size SIGN=ECC384 NO_ASM=1 LIMIT=15024
 	make keysclean
 	make test-size SIGN=ED448 LIMIT=13464
 	make keysclean
-	make test-size SIGN=RSA3072 LIMIT=11236
+	make test-size SIGN=RSA3072 LIMIT=11240
 	make keysclean
-	make test-size SIGN=RSA3072 NO_ASM=1 LIMIT=10570
+	make test-size SIGN=RSA3072 NO_ASM=1 LIMIT=11792
 	make keysclean

tools/tpm/Makefile

@@ -13,7 +13,7 @@ WOLFBOOTDIR = ../..
 WOLFDIR = $(WOLFBOOTDIR)/lib/wolfssl/
 WOLFTPMDIR = $(WOLFBOOTDIR)/lib/wolfTPM/
 CFLAGS = -Wall -Wextra -Werror
-CFLAGS += -DWOLFSSL_USER_SETTINGS -DWOLFTPM_USER_SETTINGS -DWOLFBOOT_TPM
+CFLAGS += -DWOLFSSL_USER_SETTINGS -DWOLFTPM_USER_SETTINGS -DWOLFBOOT_TPM -DHAVE_NETDB_H
 CFLAGS += -I. -I$(WOLFDIR) -I$(WOLFTPMDIR) -I$(WOLFBOOTDIR)/include
 LDFLAGS =
 OBJDIR = ./